SURVIVABLE C2 // DENIED-ENVIRONMENT MESSAGING

Messaging that survives when nothing else does.

No server to seize. No data center to strike. No way to shut it down.

DeadDrop is survivable command and control. It carries end-to-end encrypted messages peer-to-peer across the Bitcoin Lightning Network, the same rail that moves value. An operator alone in denied territory can reach command in seconds over a single satellite uplink, with no central facility for an adversary to jam, strike, or seize.

OPERATIONAL ON BITCOIN MAINNET


THE PROBLEM

Connectivity-dependent C2 collapses under attack.

Centralized command can be jammed, struck, or erased. Teams, Mattermost, and Signal all route through central servers, so the infrastructure that carries the message is the infrastructure an adversary targets first. Under denied, degraded, intermittent, and limited conditions, that dependency is the failure point. DeadDrop removes it. Every operator runs their own node and their own local relay, so there is no shared server anywhere in the path to jam, strike, or seize.

Capability DeadDrop Signal Mattermost Teams
End-to-end encrypted by default
No shared server in the delivery path
No central facility to strike or seize
Holds for the operator under denied or degraded links
Tamper-evident, Bitcoin-anchored delivery receipts
Identity rooted in an on-chain trust anchor
Self-hosted, on-prem deployable
Present Absent

HOW IT WORKS

Direct delivery. Local fallback. No shared server.

DeadDrop seals every message to the recipient's key and delivers it over the most resilient path available. The primary path is a direct peer-to-peer keysend that carries the sealed message inside a one-satoshi Lightning payment from one node to another, moving traffic directly between agencies and operators in the field. When a direct path is unavailable, the system steps down to a backup path automatically, holding the message in the operator's own local relay until a link returns. Every component runs on hardware the operator controls, and the content stays sealed end to end on every path.

WEBGL ANIMATION MOUNTS HERE

01

Run the stack at the edge.

Each operator runs a self-hosted Lightning node and a local relay on compact hardware. Nothing has a public IP and nothing accepts inbound traffic from the internet.

02

Seal to the recipient.

The client encrypts the message to the recipient's identity key. The private key is generated and held by the client and never crosses the wire.

03

Deliver over Lightning.

The sealed envelope rides a one-satoshi keysend node to node across the network, carrying traffic directly between agencies and operators. No shared server sits in the path. If the direct link is gone, delivery steps down to a backup that holds the message in the operator's own local relay until a link returns.

04

Anchor the receipt.

The message hash is committed to a Bitcoin block, producing a tamper-evident record of delivery.


CAPABILITIES

Resilience the alternatives cannot match.

Survives kinetic attack.

No shared infrastructure carries the comms. Every operator runs their own node and relay, so there is no data center to jam, strike, or erase. The goal path is a direct link between operator nodes.

Holds under DDIL.

When the direct path degrades, the system steps down to a backup automatically and holds each message in the operator's own local instance until a link returns. Communication between agencies and operators survives denied, degraded, and intermittent conditions, and low-bandwidth links carry it.

Tamper-evident delivery.

Every message and file hash is anchored to a Bitcoin block. Delivery produces an immutable receipt, and operators can export a signed transcript.

Sealed end to end.

Messages are encrypted to the recipient's identity key. The relay and the Lightning hops carry ciphertext only. Keys are held by the client and never cross the wire.

Anchor-rooted identity.

Identity is bound to a public key by an on-chain trust anchor, not trust-on-first-use and not a phone number. Proof-of-possession stops a caller claiming a key it does not hold.

Operator-owned at the edge.

Every operator self-hosts the full stack, node and relay, on compact hardware with no public IP. Live telemetry shows link status, hop count, latency, and channel balance.


OPERATIONAL DETAILS

FILE TRANSFER

Large packages move under degraded links.

Files split into hash-sealed chunks that transfer over low-bandwidth, intermittent links. The file is encrypted on the client, the operator's own relay holds ciphertext only, and the key rides sealed inside the message. The plaintext hash is anchored on Bitcoin, so a delivered file is tamper-evident.

ECONOMICS

Operators do not pay to communicate.

Channel capital is parked and recoverable. Each message cycles a single satoshi between the operator's own nodes, so traffic nets to zero. The only real cost is a small Bitcoin network fee at three moments: opening a channel, closing it, and anchoring a receipt.

DEPLOYMENT

Deployable in authorized environments.

DeadDrop runs in the Azure Government cloud on infrastructure aligned to DoD Impact Level requirements. Every message is end-to-end encrypted and the client holds its own keys, so the system is built to move through an Authority to Operate with a sponsoring component.


IN THE FIELD

Denied territory. Seconds to command.

Drop an operator into territory that blocks all internet access. With DeadDrop and a satellite uplink, they reach command in seconds, every message sealed end to end, every delivery anchored to a Bitcoin block, and no infrastructure an adversary can reach.


Request an operational briefing.

We walk through the threat model, the node hardware, the delivery model, and a live demonstration of messaging across a network with no center. Bring the environment you need to operate in.